bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
1798s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17-04-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3568-8-0x00000000035D0000-0x0000000003652000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-9-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-10-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-12-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-14-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-16-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-18-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-20-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-22-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-24-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-26-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-28-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-30-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-32-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-34-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-36-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-38-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-40-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-42-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-44-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-46-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-48-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-50-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-52-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-54-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-56-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-58-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-60-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-62-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-64-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-66-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-68-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-70-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1
behavioral5/memory/3568-72-0x00000000035D0000-0x000000000364C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect

Executes dropped EXE 61 IoCs

Processes:

WinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exe

pid	process
2064	WinSock.exe
3424	WinSock.exe
1064	WinSock.exe
2900	WinSock.exe
3912	WinSock.exe
2856	WinSock.exe
4768	WinSock.exe
2368	WinSock.exe
3360	WinSock.exe
872	WinSock.exe
2204	WinSock.exe
2552	WinSock.exe
2684	WinSock.exe
1996	WinSock.exe
4596	WinSock.exe
2700	WinSock.exe
4572	WinSock.exe
2852	WinSock.exe
908	WinSock.exe
968	WinSock.exe
1484	WinSock.exe
4620	WinSock.exe
1920	WinSock.exe
3716	WinSock.exe
1460	WinSock.exe
4536	WinSock.exe
4088	WinSock.exe
464	WinSock.exe
4168	WinSock.exe
2532	WinSock.exe
4592	WinSock.exe
3032	WinSock.exe
3164	WinSock.exe
3916	WinSock.exe
4544	WinSock.exe
2816	WinSock.exe
2280	WinSock.exe
4568	WinSock.exe
2024	WinSock.exe
4216	WinSock.exe
1400	WinSock.exe
3456	WinSock.exe
976	WinSock.exe
2256	WinSock.exe
4748	WinSock.exe
3368	WinSock.exe
4008	WinSock.exe
4932	WinSock.exe
1996	WinSock.exe
5060	WinSock.exe
4364	WinSock.exe
3904	WinSock.exe
2088	WinSock.exe
3952	WinSock.exe
5056	WinSock.exe
4920	WinSock.exe
2616	WinSock.exe
788	WinSock.exe
2372	WinSock.exe
1584	WinSock.exe
1548	WinSock.exe

Loads dropped DLL 64 IoCs

Processes:

WinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exe

pid	process
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
2064	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
3424	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
1064	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
2900	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
3912	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
2368	WinSock.exe
3360	WinSock.exe
3360	WinSock.exe
3360	WinSock.exe
3360	WinSock.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
behavioral5/memory/2064-2462-0x0000000000170000-0x0000000000574000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	upx
behavioral5/memory/2064-2478-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/2064-2479-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/2064-2480-0x0000000073640000-0x0000000073689000-memory.dmp	upx
behavioral5/memory/2064-2482-0x0000000073610000-0x0000000073634000-memory.dmp	upx
behavioral5/memory/2064-2483-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral5/memory/2064-2484-0x0000000073430000-0x000000007353A000-memory.dmp	upx
behavioral5/memory/2064-2485-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
behavioral5/memory/2064-2538-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/2064-2545-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/2064-2546-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/2064-2550-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral5/memory/3424-2591-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/3424-2589-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/3424-2594-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral5/memory/3424-2596-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/2064-2597-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/3424-2600-0x0000000073610000-0x0000000073634000-memory.dmp	upx
behavioral5/memory/3424-2598-0x0000000073640000-0x0000000073689000-memory.dmp	upx
behavioral5/memory/3424-2602-0x0000000073430000-0x000000007353A000-memory.dmp	upx
behavioral5/memory/3424-2604-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
behavioral5/memory/3424-2612-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/3424-2611-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/3424-2613-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral5/memory/3424-2610-0x0000000073690000-0x000000007375E000-memory.dmp	upx
behavioral5/memory/1064-2631-0x0000000073640000-0x0000000073689000-memory.dmp	upx
behavioral5/memory/1064-2632-0x0000000073610000-0x0000000073634000-memory.dmp	upx
behavioral5/memory/1064-2634-0x0000000073470000-0x00000000734F8000-memory.dmp	upx
behavioral5/memory/1064-2633-0x0000000073500000-0x000000007360A000-memory.dmp	upx
behavioral5/memory/1064-2636-0x00000000733A0000-0x000000007346E000-memory.dmp	upx
behavioral5/memory/1064-2637-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/1064-2628-0x0000000073690000-0x0000000073758000-memory.dmp	upx
behavioral5/memory/1064-2652-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/2900-2695-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/2900-2698-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral5/memory/2900-2699-0x0000000073690000-0x0000000073758000-memory.dmp	upx
behavioral5/memory/2900-2704-0x0000000073640000-0x0000000073689000-memory.dmp	upx
behavioral5/memory/2900-2701-0x00000000733A0000-0x000000007346E000-memory.dmp	upx
behavioral5/memory/2900-2706-0x0000000073500000-0x000000007360A000-memory.dmp	upx
behavioral5/memory/2900-2710-0x0000000073470000-0x00000000734F8000-memory.dmp	upx
behavioral5/memory/1064-2709-0x0000000000170000-0x0000000000574000-memory.dmp	upx
behavioral5/memory/2900-2705-0x0000000073610000-0x0000000073634000-memory.dmp	upx
behavioral5/memory/2900-2718-0x0000000073610000-0x0000000073634000-memory.dmp	upx

Looks up external IP address via web service 39 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
320	myexternalip.com
32	myexternalip.com
38	myexternalip.com
98	myexternalip.com
124	myexternalip.com
131	myexternalip.com
260	myexternalip.com
67	myexternalip.com
237	myexternalip.com
307	myexternalip.com
243	myexternalip.com
45	myexternalip.com
80	myexternalip.com
104	myexternalip.com
210	myexternalip.com
7	myexternalip.com
11	myexternalip.com
52	myexternalip.com
117	myexternalip.com
138	myexternalip.com
25	myexternalip.com
174	myexternalip.com
181	myexternalip.com
217	myexternalip.com
224	myexternalip.com
290	myexternalip.com
61	myexternalip.com
92	myexternalip.com
147	myexternalip.com
167	myexternalip.com
189	myexternalip.com
195	myexternalip.com
314	myexternalip.com
18	myexternalip.com
110	myexternalip.com
154	myexternalip.com
203	myexternalip.com
283	myexternalip.com
301	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 42 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe
3152	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description pid process target process

PID 3568 set thread context of 3152 3568 75bff99becc32bcbe56efbe7a75f4d45.exe 75bff99becc32bcbe56efbe7a75f4d45.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

3568 75bff99becc32bcbe56efbe7a75f4d45.exe
3568 75bff99becc32bcbe56efbe7a75f4d45.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

3152 75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process	target process
PID 3568 set thread context of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
3568	75bff99becc32bcbe56efbe7a75f4d45.exe
3568	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process
Token: SeDebugPrivilege	3568	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	3152	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

3152 75bff99becc32bcbe56efbe7a75f4d45.exe
3152 75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process	target process
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3568 wrote to memory of 3152	3568	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3152 wrote to memory of 2064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3424	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3424	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3424	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1064	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2900	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2900	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2900	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3912	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3912	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3912	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2856	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2856	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2856	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4768	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4768	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4768	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2368	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2368	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2368	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3360	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3360	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 3360	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 872	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 872	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 872	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2204	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2204	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2204	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2552	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2552	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2552	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2684	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2684	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2684	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1996	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1996	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 1996	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4596	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4596	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4596	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2700	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2700	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2700	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4572	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4572	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 4572	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 3152 wrote to memory of 2852	3152	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3424

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3912

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4768

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3360

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:464

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2532

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3916

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1400

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3456

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4364

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs
Filesize
20KB

MD5
ec231d1c4fa003ae2338b520eb9c3b73

SHA1
0d4fa45482ae04d992fa81805f5efbdf7a3e813a

SHA256
3257df9a2bab5dc367004a3a3a2d5f6d84e6e504b8b0f7151d7739a9435cae48

SHA512
02fe3558763bc8cb99d711758aa6d36e0dab80e92e4a09074127762256434f9665fbad0fa222b771907e7ac4aeee236a5ad80cc767e7399f3b338e0cb5314b15

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus
Filesize
2.6MB

MD5
824d601100461dff98727da8170c4db0

SHA1
b9734355b4ecc7021f0985dbb4c2227fe21bd882

SHA256
a212dc71ce3cb610fe044bbfe0301a48d464cea4dfba3b9e402a12cdc79a86d0

SHA512
0bc856b9671a4a858cca76ed8ed9b556ff237a04e2b4b0feac2fdfd7b72331d3fe822153a3d27c146ff73580b9a98e1d122a9e6bf9da0d69db6e3f5868599aec

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs
Filesize
20.1MB

MD5
9252b39dc870ea4fd3f95e56b7c86fa1

SHA1
9aa4f425b19a94d0794d667f5df7a9f8cbef87b1

SHA256
b8fd98456c2824fc6343e6dd22c5b7af049dfe2caf150e3be9c533f004fad349

SHA512
9080d376171811526eb09bc8b0a3e8a66a8167d9822c6844fc6ca25a1de32d86e1fd804015773924d985650987d5f54f13a247cbf006ce0892341b0f46276206

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
9.5MB

MD5
fef8d25951e414ea4623d85b361860e5

SHA1
0cd5c14099ab44d6ae497004d7bc0305bbe49afb

SHA256
f14a3e68f377c4ead95883b900e99502d1e6b2347c855581bb4a60bee31c36d8

SHA512
b8763103e0d62d98ec6da0eec270059e90611f3855863e0d32f6d386ec7eba38d47c01c7fa99a0a8e6a696857b64e71fa7ce91f045acc6623eb56bb58882ba11

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
20.1MB

MD5
3f8705cc0c87ad1c8f31df635d4a1974

SHA1
341885472feb370d04d5f9c215df13047f18c1e0

SHA256
7fe84141f4c58163a6c4726ee2117f40da594df1c1d9a385a0b8c2b5785aff82

SHA512
2bc891707d39d1b90d2094a046e84ea0189e59a2fb4a1c8f27ca4b3d80204426ea20dcf3ed5bd086bcda2270d7123f9592e0506ff2db8be41fddaf954384fbb0

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state
Filesize
232B

MD5
672d9d5198a71e2a243b324d149e9a39

SHA1
9dbc574a86af9aca61c880d76de2f98e57af8aa3

SHA256
a0e079fb09cd9be4efc20ccbd6b250a8d147fe940f21958dc029728139c63153

SHA512
cff4fe54eab4f6d0da94c383bff422d4825ccc8888a470b5930d39919de9d90788aa164f4b83d3885afed3fb7b53f8fa3350f78e0f1a1c2b10571fefff8ce558

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state
Filesize
3KB

MD5
22242067bb26ea23cce977a80a0506aa

SHA1
50bbf8a0f46fea69874f44549aad29f4058d3f0d

SHA256
33154bbe804f45c00e16ef6427ce973e854fdf97d9e5082307c6389edd4d1d1c

SHA512
79a276cbc0fe55ae8ec332e46178d0f6b4fef4b02a68cffef1bae90a8584058306c3e0ad941c88657e9ceb7cd82c9a45488ef35e6df68b09b09afbdf5c7f326c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc
Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1064-2661-0x0000000001850000-0x00000000018D8000-memory.dmp

Filesize
544KB

Download
memory/1064-2652-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/1064-2628-0x0000000073690000-0x0000000073758000-memory.dmp

Filesize
800KB

Download
memory/1064-2707-0x0000000001850000-0x00000000018D8000-memory.dmp

Filesize
544KB

Download
memory/1064-2637-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/1064-2636-0x00000000733A0000-0x000000007346E000-memory.dmp

Filesize
824KB

Download
memory/1064-2635-0x0000000001850000-0x00000000018D8000-memory.dmp

Filesize
544KB

Download
memory/1064-2633-0x0000000073500000-0x000000007360A000-memory.dmp

Filesize
1.0MB

Download
memory/1064-2634-0x0000000073470000-0x00000000734F8000-memory.dmp

Filesize
544KB

Download
memory/1064-2632-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/1064-2631-0x0000000073640000-0x0000000073689000-memory.dmp

Filesize
292KB

Download
memory/1064-2709-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2552-0x0000000001400000-0x0000000001488000-memory.dmp

Filesize
544KB

Download
memory/2064-2462-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2546-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/2064-2545-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/2064-2538-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2483-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/2064-2484-0x0000000073430000-0x000000007353A000-memory.dmp

Filesize
1.0MB

Download
memory/2064-2597-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2550-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/2064-2479-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/2064-2478-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/2064-2480-0x0000000073640000-0x0000000073689000-memory.dmp

Filesize
292KB

Download
memory/2064-2481-0x0000000001400000-0x0000000001449000-memory.dmp

Filesize
292KB

Download
memory/2064-2486-0x0000000001400000-0x0000000001488000-memory.dmp

Filesize
544KB

Download
memory/2064-2485-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/2064-2482-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/2900-2701-0x00000000733A0000-0x000000007346E000-memory.dmp

Filesize
824KB

Download
memory/2900-2704-0x0000000073640000-0x0000000073689000-memory.dmp

Filesize
292KB

Download
memory/2900-2706-0x0000000073500000-0x000000007360A000-memory.dmp

Filesize
1.0MB

Download
memory/2900-2699-0x0000000073690000-0x0000000073758000-memory.dmp

Filesize
800KB

Download
memory/2900-2710-0x0000000073470000-0x00000000734F8000-memory.dmp

Filesize
544KB

Download
memory/2900-2705-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/2900-2718-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/2900-2698-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/2900-2695-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/3152-2496-0x0000000072F70000-0x0000000072FAC000-memory.dmp

Filesize
240KB

Download
memory/3152-2444-0x00000000744A0000-0x00000000744DC000-memory.dmp

Filesize
240KB

Download
memory/3152-2441-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3152-2529-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3424-2611-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/3424-2591-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/3424-2610-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/3424-2613-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/3424-2612-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/3424-2604-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/3424-2602-0x0000000073430000-0x000000007353A000-memory.dmp

Filesize
1.0MB

Download
memory/3424-2598-0x0000000073640000-0x0000000073689000-memory.dmp

Filesize
292KB

Download
memory/3424-2600-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/3424-2596-0x0000000073690000-0x000000007375E000-memory.dmp

Filesize
824KB

Download
memory/3424-2594-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/3424-2589-0x0000000000170000-0x0000000000574000-memory.dmp

Filesize
4.0MB

Download
memory/3568-50-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-36-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-2442-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/3568-48-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-46-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-54-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-56-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-58-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-60-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-44-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-62-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-64-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-66-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-68-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-70-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-1-0x0000000000B90000-0x0000000001298000-memory.dmp

Filesize
7.0MB

Download
memory/3568-72-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-110-0x0000000006010000-0x0000000006020000-memory.dmp

Filesize
64KB

Download
memory/3568-42-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-40-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-38-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-52-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-34-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-32-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-30-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-28-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-26-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-24-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-22-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-20-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-18-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-16-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-14-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-12-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-10-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-9-0x00000000035D0000-0x000000000364C000-memory.dmp

Filesize
496KB

Download
memory/3568-8-0x00000000035D0000-0x0000000003652000-memory.dmp

Filesize
520KB

Download
memory/3568-7-0x00000000087D0000-0x0000000008CF0000-memory.dmp

Filesize
5.1MB

Download
memory/3568-6-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/3568-5-0x0000000005D40000-0x0000000005D4A000-memory.dmp

Filesize
40KB

Download
memory/3568-4-0x0000000006010000-0x0000000006020000-memory.dmp

Filesize
64KB

Download
memory/3568-3-0x0000000005DB0000-0x0000000005E42000-memory.dmp

Filesize
584KB

Download
memory/3568-2-0x0000000006360000-0x0000000006906000-memory.dmp

Filesize
5.6MB

Download
memory/3568-0-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download